tests: More explicit errors for OCSP and SCEP

2018-01-05 12:42:14 +00:00 · 2018-01-05 12:42:14 +00:00 · 098aa5657d
parent 67dcf4a156
commit 098aa5657d
3 changed files with 38 additions and 20 deletions
--- a/certidude/api/ocsp.py
+++ b/certidude/api/ocsp.py
@ -1,4 +1,5 @@
 import click
+import falcon
 import hashlib
 import os
 from asn1crypto.util import timezone
@ -14,19 +15,22 @@ from oscrypto.errors import SignatureError
 class OCSPResource(object):
    @whitelist_subnets(config.OCSP_SUBNETS)
    def __call__(self, req, resp):
-        if req.method == "GET":
-            _, _, _, tail = req.path.split("/", 3)
-            body = b64decode(tail)
-        elif req.method == "POST":
-            body = req.stream.read(req.content_length or 0)
-        else:
-            raise falcon.HTTPMethodNotAllowed()
+        try:
+            if req.method == "GET":
+                _, _, _, tail = req.path.split("/", 3)
+                body = b64decode(tail)
+            elif req.method == "POST":
+                body = req.stream.read(req.content_length or 0)
+            else:
+                raise falcon.HTTPMethodNotAllowed()
+            ocsp_req = ocsp.OCSPRequest.load(body)
+        except ValueError:
+            raise falcon.HTTPBadRequest()

        fh = open(config.AUTHORITY_CERTIFICATE_PATH, "rb") # TODO: import from authority
        server_certificate = asymmetric.load_certificate(fh.read())
        fh.close()

-        ocsp_req = ocsp.OCSPRequest.load(body)
        now = datetime.now(timezone.utc)
        response_extensions = []

--- a/certidude/api/scep.py
+++ b/certidude/api/scep.py
@ -39,7 +39,7 @@ class SCEPBadCertId(SCEPError): code = 4
 class SCEPResource(object):
    @whitelist_subnets(config.SCEP_SUBNETS)
    def on_get(self, req, resp):
-        operation = req.get_param("operation")
+        operation = req.get_param("operation", required=True)
        if operation.lower() == "getcacert":
            resp.body = keys.parse_certificate(authority.certificate_buf).dump()
            resp.append_header("Content-Type", "application/x-x509-ca-cert")
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@ -312,12 +312,6 @@ def test_cli_setup_authority():
    r = requests.get("http://ca.example.lan/api/revoked/")
    assert r.status_code == 200, r.text

-    # Check that SCEP and OCSP are disabled by default
-    r = requests.get("http://ca.example.lan/api/ocsp/")
-    assert r.status_code == 404, r.text
-    r = requests.get("http://ca.example.lan/api/scep/")
-    assert r.status_code == 404, r.text
-
    # Test command line interface
    result = runner.invoke(cli, ['list', '-srv'])
    assert not result.exception, result.output
@ -1077,13 +1071,13 @@ def test_cli_setup_authority():
    ### Test that legacy features are disabled by default ###
    #########################################################

-    r = client().simulate_get("/api/scep/")
+    r = requests.get("http://ca.example.lan/api/scep/")
    assert r.status_code == 404
-    r = client().simulate_get("/api/ocsp/")
+    r = requests.get("http://ca.example.lan/api/ocsp/")
    assert r.status_code == 404
-    r = client().simulate_post("/api/scep/")
+    r = requests.post("http://ca.example.lan/api/scep/")
    assert r.status_code == 404
-    r = client().simulate_post("/api/ocsp/")
+    r = requests.post("http://ca.example.lan/api/ocsp/")
    assert r.status_code == 404


@ -1115,6 +1109,9 @@ def test_cli_setup_authority():
    else:
        os.waitpid(spn_pid, 0)

+    r = requests.get("http://ca.example.lan/api/")
+    assert r.status_code == 502, r.text
+
    # Make modifications to /etc/certidude/server.conf so
    # Certidude would auth against domain controller
    os.system("sed -e 's/ldap uri = ldaps:.*/ldap uri = ldaps:\\/\\/ca.example.lan/g' -i /etc/certidude/server.conf")
@ -1154,12 +1151,29 @@ def test_cli_setup_authority():
        assert not result.exception, result.output
        return

-    sleep(5) # Wait for serve to start up
+    # Wait for serve to start up
+    for j in range(0,10):
+        r = requests.get("http://ca.example.lan/api/")
+        if r.status_code != 502:
+            break
+        sleep(1)
+    assert r.status_code == 401

    # CRL-s disabled now
    r = requests.get("http://ca.example.lan/api/revoked/")
    assert r.status_code == 404, r.text

+    # OCSP and SCEP should be enabled now
+    r = requests.get("http://ca.example.lan/api/scep/")
+    assert r.status_code == 400
+    r = requests.get("http://ca.example.lan/api/ocsp/")
+    assert r.status_code == 400
+    r = requests.post("http://ca.example.lan/api/scep/")
+    assert r.status_code == 405
+    r = requests.post("http://ca.example.lan/api/ocsp/")
+    assert r.status_code == 400
+
+
    assert os.system("openssl ocsp -issuer /var/lib/certidude/ca.example.lan/ca_cert.pem -cert /var/lib/certidude/ca.example.lan/signed/roadwarrior2.pem -text -url http://ca.example.lan/api/ocsp/ -out /tmp/ocsp1.log") == 0
    assert os.system("openssl ocsp -issuer /var/lib/certidude/ca.example.lan/ca_cert.pem -cert /var/lib/certidude/ca.example.lan/ca_cert.pem -text -url http://ca.example.lan/api/ocsp/ -out /tmp/ocsp2.log") == 0